Cybersecurity Regulation Exemptions

23 NYCRR 500.19

Section 19 of the DFS cybersecurity regulation contains several exemptions. Each has been crafted to meet the particular circumstances of the Covered Entity, including smaller organizations, licensed persons who are following the cybersecurity program of another regulated company, and entities that do not have any Information Systems or Nonpublic Information. Most exemptions are limited in nature and still require Covered Entities to comply with some provisions of the Regulation.

Filing Requirements: All regulated persons and companies that wish to claim an exemption must file a Notice of Exemption with DFS stating their current exempt status within 30 days of determining that the Covered Entity is exempt.

To get started, please visit the DFS Portal:

Instructions: Filing a New or Initial Notice of Exemption (PDF)

Exemption Guidance: To complete a Notice of Exemption, you must identify all exemptions that meet your circumstances. The following are explanations of the exemptions provided for in 23 NYCRR 500.19:

  • 500.19(a)(1) – A Covered Entity is entitled to this exemption when it has fewer than 10 employees, including independent contractors. This is a limited exemption: the Covered Entity must still design and implement a cybersecurity program that meets some, but not all, of the regulatory requirements, and must submit an annual Certification of Compliance.
  • 500.19(a)(2) – A Covered Entity is entitled to this exemption when it has had less than $5,000,000 in gross annual revenue from New York business in each of the last three fiscal years. This is a limited exemption: the Covered Entity must still design and implement a cybersecurity program that meets some, but not all, of the regulatory requirements, and must submit an annual Certification of Compliance.
  • 500.19(a)(3) – A Covered Entity is entitled to this exemption when it has less than $10,000,000 in year-end total assets. This is a limited exemption: the Covered Entity must still design and implement a cybersecurity program that meets some, but not all, of the regulatory requirements, and must submit an annual Certification of Compliance.
  • 500.19(b) – You are entitled to this exemption when you are an employee, agent, representative or designee of another Covered Entity and you are fully covered by that entity’s cybersecurity program. Under this exemption you do not need to create your own program, but you must identify the Covered Entity whose program you are following in order to claim the exemption. To submit a Notice of Exemption under 500.19(b) you will be required to provide the name and address of the Covered Entity that supports the cybersecurity program you are following and the name of an appropriate representative who can confirm that cybersecurity program.
  • 500.19(c) – A Covered Entity is entitled to this exemption if it does not utilize an Information System and does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess Nonpublic Information. This is a limited exemption: the Covered Entity must still complete an annual Risk Assessment to confirm that it continues to be entitled to the exemption, must meet some, but not all, of the regulatory requirements, and must submit an annual Certification of Compliance.
  • 500.19(d) – A captive insurance company is entitled to this exemption if it does not control Nonpublic Information other than information relating to its corporate parent company. This is a limited exemption: the company must still complete an annual Risk Assessment to confirm that it continues to be entitled to the exemption, must meet some, but not all, of the regulatory requirements, and must submit an annual Certification of Compliance.

The following chart shows, for each exemption, the provisions of the Regulation you are exempt from and the provisions you must still comply with:

Exemption: 500.19(a)(1) Fewer than 10 employees working in NYS
           500.19(a)(2) Less than $5 million in gross annual revenue
           500.19(a)(3) Less than $10 million in year-end total assets

  Exempt From:
    500.04 - Chief Information Security Officer
    500.05 - Penetration Testing and Vulnerability Assessments
    500.06 - Audit Trail
    500.08 - Application Security
    500.10 - Cybersecurity Personnel and Intelligence
    500.12 - Multi-Factor Authentication
    500.14 - Training and Monitoring
    500.15 - Encryption of Nonpublic Information
    500.16 - Incident Response Plan

  Still Required:
    500.02 - Cybersecurity Program
    500.03 - Cybersecurity Policy
    500.07 - Access Privileges
    500.09 - Risk Assessment
    500.11 - Third Party Service Provider Security Policy
    500.13 - Limitations on Data Retention
    500.17 - Notices to Superintendent
    500.18 - Confidentiality
    500.19 - Exemptions
    500.20 - Enforcement
    500.21 - Effective Date
    500.22 - Transitional Periods
    500.23 - Severability

Exemption: 500.19(c) Does not utilize any Information Systems and does not control any Nonpublic Information
           500.19(d) Captive insurance companies that do not control Nonpublic Information other than information relating to the corporate parent company

  Exempt From:
    500.02 - Cybersecurity Program
    500.03 - Cybersecurity Policy
    500.04 - Chief Information Security Officer
    500.05 - Penetration Testing and Vulnerability Assessments
    500.06 - Audit Trail
    500.07 - Access Privileges
    500.08 - Application Security
    500.10 - Cybersecurity Personnel and Intelligence
    500.12 - Multi-Factor Authentication
    500.14 - Training and Monitoring
    500.15 - Encryption of Nonpublic Information
    500.16 - Incident Response Plan

  Still Required:
    500.09 - Risk Assessment
    500.11 - Third Party Service Provider Security Policy
    500.13 - Limitations on Data Retention
    500.17 - Notices to Superintendent
    500.18 - Confidentiality
    500.19 - Exemptions
    500.20 - Enforcement
    500.21 - Effective Date
    500.22 - Transitional Periods
    500.23 - Severability

Filings on Behalf of Others - Bulk Exemption Filings

In some cases, an employer may opt to file an exemption with DFS on behalf of its employees through the Bulk Submission process. Covered Entities must request access to this functionality. If a Notice of Exemption is filed on your behalf, you will receive an email from DFS confirming the filing. The email will include a receipt number and list the exemption(s) filed. It is the licensed person’s responsibility to update DFS if their exemption status changes due to a change in employment or any other factor.

Changing or terminating a filed exemption

After an initial Notice of Exemption is filed it can be amended or terminated through the DFS Cybersecurity Portal. The amendment option should be used when the exempt status changes, but the person or entity remains entitled to an exemption. Amending an exemption will leave at least one exemption in place. Terminating an exemption will cancel all previously filed exemptions, including those filed through the Bulk process.

What to File if Licensed by DFS but Not Currently Working in the Field

500.19(c) applies to any regulated entity or licensed person that does not maintain any Information Systems and does not possess any Nonpublic Information. People who are currently licensed but not actively using that license may fall into this category, provided they are not maintaining Nonpublic Information concerning former or potential consumers or otherwise maintaining information or systems covered by the Regulation. This is a partial exemption and still requires the Covered Entity or licensed person to comply with certain provisions of the Regulation (see chart above), including the requirement to conduct a Risk Assessment and to submit an annual Certification of Compliance to the Superintendent.